CVE-2020-28579
published 2020-11-18


Priority: P2 (70) · high · CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 49.29% (98.7th percentile)
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an authenticated, remote attacker to send a specially crafted HTTP message and achieve remote code execution with elevated privileges.

Affected (2 ranges)

Vendor       Product                                               Version range   Fixed in
trend_micro  trend_micro_interscan_web_security_virtual_appliance
trendmicro   interscan_web_security_virtual_appliance

Detection & IOCs (extracted from sources)

url: https://<host>:8443/urlf_reclassifyurl.jsp
port: 8443
path: /urlf_reclassifyurl.jsp
path: /uilogonsubmit.jsp
path: /rest/windows_client_status
path: /servlet/com.trend.iwss.gui.servlet.ManageVLANSettings
filename: libuiauutil.so
path: /usr/iwss/AdminUI/ui_ctl.sh
command: curl -ski -d 'wherefrom=&wronglogon=no&uid=reports_only_user&passwd= &pwd=Log+On' https:// :8443/uilogonsubmit.jsp
command: curl -ski --cookie 'JSESSIONID=B3C8680FE9EEE804422FD8813D58496A' -d 'op=send&url=MyUrl&sender_note=MySendNote&mailsubject=MyMailSubject&sender_addr='$(python -c "print 'A'*0x10000") https:// :8443/urlf_reclassifyurl.jsp?CSRFGuardToken=55MYNQKMBK8KC3EB9TXC3FKOQH372OGX
  • Monitor for large POST requests to /urlf_reclassifyurl.jsp on port 8443 with an oversized sender_addr parameter (e.g., repeated 'A' characters), indicative of a stack buffer overflow attempt via strcat in MailNotification.
  • Detect POST requests to /rest/windows_client_status on port 8443 with an oversized password parameter, indicative of the unauthenticated stack buffer overflow (CVE-2020-28578) via strcpy in Java_com_trend_iwss_gui_IWSSJNI_DecryptPasswd.
  • Alert on POST requests to /servlet/com.trend.iwss.gui.servlet.ManageVLANSettings on port 8443 containing shell metacharacters in VLAN-related parameters, indicative of command injection via AddVLANItem calling system().
  • The exploit chain for CVE-2020-28579 requires a valid session (JSESSIONID cookie) and a CSRFGuardToken; correlate authenticated sessions followed immediately by anomalously large POST bodies to /urlf_reclassifyurl.jsp.
  • Successful exploitation results in code execution as the 'iscan' OS account; alert on unexpected processes spawned by the iscan user on IWSVA appliances.
  • Exploitation of CVE-2020-28579 requires authentication; a low-privileged 'reports only' account is sufficient, lowering the bar for attackers with any valid credentials.
  • The vulnerable MailNotification function is in libuiauutil.so; if this shared library is updated or patched, the overflow vector is removed. Verify the library version on deployed appliances.
  • The attack targets Trend Micro IWSVA 6.5 SP2 build 1901 specifically; confirm the build number before applying detection rules to avoid false positives on patched builds.
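A detection sketch for the three request patterns listed in the bullets above, as an added example that is neither the database's nor Trend Micro's code. It assumes the proxy or WAF log exposes each request's method, full URL and decoded form body; the size threshold and the "any parameter" check on the VLAN servlet are tunable assumptions, since the source names no specific VLAN parameter.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Thresholds and the all-parameters check on the VLAN servlet are assumptions for this example.
OVERSIZE = 1024                          # bytes; legitimate sender_addr/password values are far shorter
SHELL_META = re.compile(r"[;&|`]|\$\(")  # common shell metacharacters, matched after URL-decoding

RECLASSIFY = "/urlf_reclassifyurl.jsp"
CLIENT_STATUS = "/rest/windows_client_status"
VLAN_SERVLET = "/servlet/com.trend.iwss.gui.servlet.ManageVLANSettings"


def check_request(method, url, body):
    """Return alert names for one request to the IWSVA admin UI (only POSTs to port 8443 matter)."""
    parts = urlsplit(url)
    if method != "POST" or parts.port != 8443:
        return []
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    alerts = []
    if parts.path == RECLASSIFY and len(params.get("sender_addr", "")) > OVERSIZE:
        alerts.append("CVE-2020-28579: oversized sender_addr (MailNotification strcat overflow)")
    if parts.path == CLIENT_STATUS and len(params.get("password", "")) > OVERSIZE:
        alerts.append("CVE-2020-28578: oversized password (DecryptPasswd strcpy overflow)")
    if parts.path == VLAN_SERVLET and any(SHELL_META.search(v) for v in params.values()):
        alerts.append("ManageVLANSettings: shell metacharacters in parameters (AddVLANItem system())")
    return alerts


def scan(requests):
    """Apply check_request to a list of request records; returns (source, alert) pairs."""
    return [(r["src"], a) for r in requests
            for a in check_request(r["method"], r["url"], r["body"])]


# Constructed sample requests (not captured traffic); the CSRF token is a placeholder.
BASE = "https://iwsva.example:8443"
SAMPLE = [
    {"src": "10.0.0.5", "method": "POST", "url": BASE + "/uilogonsubmit.jsp",
     "body": "wherefrom=&wronglogon=no&uid=reports_only_user&passwd=x&pwd=Log+On"},
    {"src": "10.0.0.5", "method": "POST", "url": BASE + RECLASSIFY + "?CSRFGuardToken=PLACEHOLDER",
     "body": "op=send&url=MyUrl&sender_note=n&mailsubject=s&sender_addr=" + "A" * 4096},
    {"src": "10.0.0.6", "method": "POST", "url": BASE + RECLASSIFY + "?CSRFGuardToken=PLACEHOLDER",
     "body": "op=send&url=MyUrl&sender_note=n&mailsubject=s&sender_addr=admin%40example.com"},
    {"src": "10.0.0.7", "method": "POST", "url": BASE + CLIENT_STATUS, "body": "password=" + "B" * 2048},
    {"src": "10.0.0.8", "method": "POST", "url": BASE + VLAN_SERVLET, "body": "vlan_id=10%3Bid"},
]

if __name__ == "__main__":
    for src, alert in scan(SAMPLE):
        print(src, alert)
```

The benign reclassify request from 10.0.0.6 and the login from 10.0.0.5 produce no alert, which is the false-positive check the last bullet asks for.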

CVSS provenance

NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P